This documents describes the APIs, inner working of Interval Merkle Tree (IMT), a cryptographic accumulator that we use to instantiate Nullifier Set which require efficient non-membership proof and member insertion in circuit. Complexity For an IMT of height $h$ of size $N = 2^h$, batch insertion size $K=2^k, h > k$: Both Add and BatchAdd circuit checked non-membership before inserting. Add BatchAdd Native Execution

New Results Multi-threaded: ℹ️ VID Benchmark 🔔 FRIDA l, k, n, prover (ms), communication (byte), verifier (ms) 2048, 64, 128, 431, 2960961, 5 4096, 64, 128, 699, 5844545, 7 8192, 64, 128, 1188, 11611713, 9

hackmd-github-sync-badge :::info Vadim's talk at 2nd BIU gives good intro to why we can use LLL for subset sum in theory, this note focus on "how exactly" in practice for the engineers, as my digest of various related work and why they make sense. Here's the implementation of this SSP solver in python. ::: Recall that the goal of lattice reduction algorithms are to find orthonormal bases (i.e. nice, short, and nearly orthogonal) given an arbitrary bases of the lattice. More technically, they obtain a basis whose Gram-Schmidt vectors are not decreasing too quickly (which implies that the basis vectors are somewhat orthogonal to each other).

hackmd-github-sync-badge :::info This is a note summarizing my experience with making rust libraries no_std compatible (especially for WASM supports). I'm not a WASM expert and all feedback is welcomed! You could also leave comments in the Rust forum post. ::: Why

hackmd-github-sync-badge The encounters of writings that propel me into philosophical contemplation are few and far between. Those that lead me to an uncontrollable note-taking session are even rarer. The long-time classics Siddhartha by Hermann Hesse (translated by Hilda Rosner) has gifted me with such a uniquely enjoyable experience. I started off the book nonchalantly during my daily commute on a public subway. After 10 pages in, on an undisturbed Saturday morning, I found myself locked in my chair, with the pamphlet-thin book on my left hand, and pen and papers on the right. I furiously record down my reaction to the development of the story, distilling my interpretation of the lessons at that moment, worrying that the fleeting and interwoven nature of those ideas would be too consuming to recall and unravel afterwards. Well, I'm glad I did, and here I got a chance to organize these pointers and present my personal takeaways in a slightly more coherent manner.

TODOs [ ] trait for Ring, PolynomialRing, Module [ ] implement cyclotomic polynomial and rings, and arithemetics [ ] trait for Sampler [ ] implement uniform sampler [ ] implement CBD Sampler [ ] (De)compression [ ] (De)serialization [ ] implement NTT [ ] CPA-PKE.KeyGen, Enc, Dec

This is a collection of my digisted notes and attempted solutions to exercises at the end of each chapter in A Graduate Course in Applied Cryptography by Dan Boneh and Victor Shoup.[^history] [^history]: This post is copy-pasted from this original blog post. Chapter 0: Number Theory and Abstract Algebra :page_facing_up: Annotated Appendix A :page_facing_up: Intro to Groups, Rings, and Fields Chapter 2: Encryption :bulb: solution

This module explains how (turbo) PLONK SNARK work. PLONK Constraint System The standard constraint system for $m$ variables and $n$ constraints is specified by selector vectors $\mathbf{q_L}, \mathbf{q_R}, \mathbf{q_O}, \mathbf{q_M}$, and input indices vectors $\mathbf{a},\mathbf{b},\mathbf{c},$ such that an input $x\in \mathbb{F}^{m}$ satisfies the constraint system if: $$ \forall i\in [n]\colon x_{a[i]} * q_L[i] + x_{b[i]} * q_R[i] + x_{a[i]} * x_{b[i]} * q_M[i] = x_{c[i]} * q_O[i] $$ Note that for equation above

To recap the problem Bracha'87 is trying to solve: There are $n$ parties, out of whom at most $f<n/3$ are byzantine, with a designated leader/broadcaster for each protocol run. The protocol runs in an asynchronous[^asyn] and permissioned[^perm] network without the help of Public Key Infrastructure (PKI)/signatures to authenticate messages. The leader starts with some input value $v$ from a predefined value space $v\in\mathcal{V}$ (usually we consider $\mathcal{V}={0,1}$) and a party $i$ that terminates needs to output a value $v_i \in\mathcal{V}$. The two properties our broadcast protocol wants to achieve are: Validity: If the leader is honest, then eventually all honest parties will output leader's input. Agreement: If some honest party outputs a value, then eventually all honest parties will output the same value.

This is a collection of good questions asked by some of your peers regarding your development project, or Solidity in general. ⚠️ Note: Please for project requirement related questions, we strongly encourage you to directly contact the liaison persons from repsective projects: Kyber: contact Desmond on Teams or via email at desmond@kyber.network Pendle: contact Anton on Teams or via email at anton@pendle.finance Bluejay: contact Raymond via email at raymond@bluejay.finance Daimler: contact Srikanth Kaja at srikanth.kaja@daimler.com ⚠️ Note: Please make sure you finish the following before building your project: